I'm pretty new to this topic and want to implement a token-based user authentication, and I wonder if these are the right steps to do this in a "pretty" secure way.
First on the Ionic App:
-> send the login data in plain text to the https server, via ionic http method
On the Php Server:
-> Compare username and password
-> If that's true, generate a secure key (min 25 characters)
-> Store the userid (plain) and key (MD5+Salt) in a table, with an expiry time
-> Generate a JWT Token, with some userdata
JWT::encode($data, $secret);
-> echo the JWT Token to send it back to the ionic app
Back at the Ionic App:
-> Store the JWT Token in the local storage of the device
.. create some data ..
Send data to the php server:
-> $http post to the php server with some params
params: { userid : $scope.userid, jwttoken : $scope.jwttoken, datatostore: $scope.datatostore }
On the php server:
-> check if the post userid exists in the table where the keys are stored
-> if yes, get the key by filtering the userid and check if the time is not expired
-> if yes, decode the JWT
JWT::decode($postToken, $api_key, array('HS256', 'HS512'));
-> if that succeeds, do some server stuff like insert the data in the database
I know that there is no 100% secure way, but I want to know if that's pretty safe to use or if I have overlooked something!
Thanks
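To make the server-side part of the flow above concrete, here is an added example (not code from the original post, and not the firebase/php-jwt library the post's `JWT::encode`/`JWT::decode` calls refer to): a self-contained HS256 issue/verify round trip in plain PHP using only built-in functions. It shows the three checks a verifying endpoint needs: a pinned algorithm, a constant-time signature comparison, and an expiry enforced from the signed `exp` claim, with the user id taken from the verified token rather than from a separate POST field. The function names, the demo secret and the user id are constructed for illustration.

```php
<?php
// Added example, not from the original post: minimal HS256 JWT issue/verify
// in plain PHP. Function names and sample values are constructed.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    $pad = strlen($data) % 4;
    if ($pad) { $data .= str_repeat('=', 4 - $pad); }
    $out = base64_decode(strtr($data, '-_', '+/'), true);
    return $out === false ? '' : $out;
}

// Issue a token for $userId that expires after $ttl seconds.
// The expiry lives inside the signed payload ("exp"), so it cannot be
// altered by the client without invalidating the signature.
function issueToken(string $secret, string $userId, int $ttl = 3600): string {
    $header  = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64url_encode(json_encode([
        'sub' => $userId,
        'iat' => time(),
        'exp' => time() + $ttl,
    ]));
    $sig = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Verify a token and return its claims, or null if any check fails.
function verifyToken(string $secret, string $token): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) { return null; }
    [$header, $payload, $sig] = $parts;

    // Pin the algorithm: never let the token's own header choose it.
    $hdr = json_decode(base64url_decode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? '') !== 'HS256') { return null; }

    // Recompute the signature and compare in constant time.
    $expected = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $sig)) { return null; }

    $claims = json_decode(base64url_decode($payload), true);
    if (!is_array($claims)) { return null; }

    // Reject expired tokens; "exp" is trusted because the signature covers it.
    if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] < time()) {
        return null;
    }
    return $claims;
}

// --- constructed demo --------------------------------------------------------
// Constructed placeholder secret; in a real deployment load it from
// configuration outside the source tree.
$secret = 'demo-secret-at-least-32-bytes-long-please';

// Login succeeded: issue a token and hand it to the client.
$token = issueToken($secret, 'user-42', 3600);

// Later request: verify the token and take the user id from its claims,
// so a client cannot pair its own token with someone else's userid.
$claims = verifyToken($secret, $token);
$userIdForRequest = $claims['sub'] ?? null;
var_dump($userIdForRequest);

// A payload swapped for one naming another user no longer matches the signature.
[$h, $p, $s] = explode('.', $token);
$swapped = base64url_encode(json_encode(['sub' => 'user-1', 'exp' => time() + 3600]));
var_dump(verifyToken($secret, "$h.$swapped.$s"));

// A token issued with a negative lifetime is already expired and is rejected.
var_dump(verifyToken($secret, issueToken($secret, 'user-42', -1)));
```

Because the expiry and the user id are inside the signed payload, the per-request table lookup in the post's design becomes optional: the server only needs the shared secret to validate a token, and a server-side table is then useful for revocation (logging out a token early) rather than for basic validity.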